Advisory GHSA-2v93-vp82-cjv8 references a vulnerability in the following Go modules:
Description:
Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user holding only the reader role in the root organization (the lowest authenticated role, carrying only the READ_RESULTS permission) can issue a single authenticated HTTP GET that reads arbitrary files from other orgs, even though they hold no explicit permissions in the target org.
The problem does not occur in reverse: a user with read access to a sub-org cannot read from other orgs or from the root org.
References:
Cross references:
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: www.velocidex.com/golang/velociraptor
      versions:
        - fixed: 0.76.4
      vulnerable_at: 0.76.2
summary: Velocidex Velociraptor has an Incorrect Authorization issue in www.velocidex.com/golang/velociraptor
cves:
    - CVE-2026-6863
ghsas:
    - GHSA-2v93-vp82-cjv8
references:
    - advisory: https://github.com/advisories/GHSA-2v93-vp82-cjv8
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-6863
    - web: https://docs.velociraptor.app/announcements/advisories/cve-2026-6863
source:
    id: GHSA-2v93-vp82-cjv8
    created: 2026-05-11T15:01:21.157270497Z
review_status: UNREVIEWED
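As an added example (not code from the page and not Velociraptor's own code), the following Go program models the authorization property the description above turns on: a file-download GET must be authorized against the org named in the request, and a grant in the root org must not stand in for a grant in a sub-org. The permission model, the `/api/v1/DownloadFile` route, the `org_id` and `path` parameters, the principals and the file store are all hypothetical and constructed here. `authorizeVulnerable` reproduces only the observed behaviour (a root-org reader reaches every org's files, a sub-org reader cannot reach the root org or a sibling org); it is not the actual Velociraptor code path, which the advisory does not describe. `authorizeFixed` shows the check that closes the gap.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Hypothetical permission model for illustration only; these types and the
// route below are not Velociraptor's own API.
type Permission string

const (
	ReadResults Permission = "READ_RESULTS"
	RootOrg                = "root"
)

// Principal carries permission grants keyed by org id.
type Principal struct {
	Name  string
	Perms map[string]map[Permission]bool
}

// Has reports whether p holds perm in exactly that org.
func (p Principal) Has(org string, perm Permission) bool {
	return p.Perms[org][perm]
}

// Constructed sample file store: org id -> path -> contents.
var files = map[string]map[string]string{
	RootOrg: {"/results/root.json": `{"org":"root"}`},
	"O1":    {"/results/o1.json": `{"org":"O1"}`},
	"O2":    {"/results/o2.json": `{"org":"O2"}`},
}

// Constructed users: a reader in the root org and a reader in sub-org O1.
var (
	RootReader = Principal{Name: "root-reader", Perms: map[string]map[Permission]bool{RootOrg: {ReadResults: true}}}
	O1Reader   = Principal{Name: "o1-reader", Perms: map[string]map[Permission]bool{"O1": {ReadResults: true}}}
)

// authorizeVulnerable models the behaviour the advisory describes, not the
// actual Velociraptor code path: any grant in the root org is accepted for
// every org, so a root reader reaches sub-org files while a sub-org reader
// still cannot reach the root org or a sibling org.
func authorizeVulnerable(p Principal, targetOrg string) bool {
	return p.Has(targetOrg, ReadResults) || len(p.Perms[RootOrg]) > 0
}

// authorizeFixed evaluates the permission in the org the request names, and
// only there: root-org membership grants nothing in other orgs.
func authorizeFixed(p Principal, targetOrg string) bool {
	return p.Has(targetOrg, ReadResults)
}

// fileHandler serves GET /api/v1/DownloadFile?org_id=...&path=... (a
// hypothetical route) for one authenticated caller using the given check.
func fileHandler(caller Principal, authorize func(Principal, string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		org := r.URL.Query().Get("org_id")
		if org == "" {
			org = RootOrg // an absent org_id addresses the root org
		}
		// Authorize against the org named by the request before any lookup,
		// so the response does not leak whether the path exists.
		if !authorize(caller, org) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		body, ok := files[org][r.URL.Query().Get("path")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, body)
	})
}

// get issues one GET against h and returns the HTTP status code.
func get(h http.Handler, orgID, path string) int {
	q := url.Values{"org_id": {orgID}, "path": {path}}
	req := httptest.NewRequest(http.MethodGet, "/api/v1/DownloadFile?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for name, check := range map[string]func(Principal, string) bool{"vulnerable": authorizeVulnerable, "fixed": authorizeFixed} {
		fmt.Printf("%-10s root reader -> O1: %d; O1 reader -> root: %d; O1 reader -> O1: %d\n", name,
			get(fileHandler(RootReader, check), "O1", "/results/o1.json"),
			get(fileHandler(O1Reader, check), RootOrg, "/results/root.json"),
			get(fileHandler(O1Reader, check), "O1", "/results/o1.json"))
	}
}
```

Running it prints one line per check: under the vulnerable check the root reader gets 200 for the O1 file, under the fixed check 403, while the O1 reader gets 403 for the root file under both and 200 for its own org's file under both. The design point is that the authorization decision takes the target org from the request, and that the permission lookup is keyed by that org alone, with no fallback to the caller's home org.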